Early this week, the Article 29 Working Party issued its December 16, 2010 Opinion on applicable law, providing guidance on the scope of EU data protection law and the practical implications of Article 4 of the EU Data Protection Directive (95/46/EC, the “Directive”).
The purpose of the Working Party’s Opinion 8/2010 (the “Opinion”) is twofold. First, it intends to clarify the current scope of EU data protection law with regard to the processing of personal data within and outside the European Economic Area (the “EEA”). The clarifications by the Working Party are aimed at enhancing legal certainty for data controllers, providing a clearer framework for individuals and stakeholders and avoiding legal loopholes and potential conflicts between overlapping national data protection laws. Throughout the Opinion, practical examples are used to demonstrate the clarifications, such as in the context of centralized HR databases, geolocation services, cloud computing and online social networks. Furthermore, in light of the general revision of the EU data protection framework, the Opinion includes suggestions to improve the existing applicable law provisions in the EU Data Protection Directive.
Key Provision of the Directive
The Directive’s key provision concerning applicable law is Article 4, which states that each Member State must apply its national provisions:
- “…where the processing [of personal data] is carried out in the context of activities of an establishment of the controller on the territory of a Member State” (Article 4(1)a, emphasis added); or,
- If the controller is not established within the EEA, but makes use of equipment located in a Member State to process personal data, unless such equipment is used only for transit purposes (Article 4(1)c).
Clarifications of the Existing Rules on Applicable Law
The Opinion provides guidance to assist companies in the interpretation of Article 4 of the Directive. In particular, according to the Working Party, Article 4(1)a means that:
- If a data controller has one establishment in the EEA, there will be one law for the whole EEA, depending on the location of this establishment (except with regard to security measures, where the laws of the country where a possible processor is located may apply); and,
- If a data controller has several establishments in the EEA, the application of national legislation will correspond to the activities of each establishment. This means that if a controller has establishments throughout the EEA, multiple laws may apply to a processing activity depending on the level of involvement of each establishment.
In order to determine which national laws apply to which activities, the Working Party provides guidance on a number of key concepts, and clarifies that:
- An establishment on the territory of a Member State implies the effective and real exercise of activities through stable arrangements, regardless of whether the establishment has legal personality there.
- The notion of “context of activities of an establishment” means that the place where data are located or where the controller is established is not decisive in determining which law applies. Rather, it is the location of an establishment that carries out data processing activities that should be considered. The degree of involvement of that establishment in the processing activities and the nature of these activities are also key to determining whether national data protection law applies. Such analysis calls for a functional approach that asks, “what is the true role of each establishment, and which activity is taking place in the context of which establishment?”
The Working Party also provides clarifications on Article 4(1)c, regarding controllers located outside the EEA and states that:
- Article 4(1)c only applies when Article 4(1)a is not applicable (i.e., “when the controller does not have any establishment that is relevant for the activities in question in the EEA”). However, Article 4(1)c should apply even if the controller does have an establishment in the EEA, if the processing does not take place in the context of activities of that particular establishment (i.e., if the establishment located in the EEA is not sufficiently involved in the data processing); and,
- The Working Party considers the term “equipment” to encapsulate the broader concept of “means,” which is more akin to the wording used in other translations of Article 4(1)c. In certain circumstances, the term “means” may include technical as well as human intermediaries (for example, surveys and questionnaires). The Working Party recognizes that this broad interpretation may sometimes lead to undesirable consequences, such as a possible universal application of EU data protection law, and provides recommendations for improvement as described below.
Suggestions for Improving the Directive
The Working Party’s main suggestion for the improvement of Article 4(1)a is to shift back to the country of origin principle. This would mean that only the laws of the Member State in which the main establishment of the controller is located would apply. Pursuant to the current “distributed” approach, different national laws may apply to different establishments of the controller within the EEA depending on the “context of the activities” criterion. However, further harmonization of national laws, including of security requirements, would be necessary in order to avoid “forum shopping” issues.
For Article 4(1)c, in situations where the controller is established outside the EEA, the Working Party suggests that additional criteria be developed to ensure that a sufficient connection with the EEA territory exists. Such criteria may include:
- Introducing the concept of “targeting of individuals” or a “service oriented approach.” Under this criterion, EU data protection laws would only be triggered if there is substantial targeting of individuals within EEA countries. The Working Party notes that this would be akin to the criteria used by the U.S. Federal Trade Commission with respect to enforcement of the Children’s Online Privacy Protection Act, which is triggered, among other things, if U.S. children are targeted by a website.
- Redefining the “use of equipment/means” criterion. The current application of this criterion has shown undesirable consequences, such as a possible universal application of EU data protection law. The Working Party advises that this criterion could be kept from a fundamental rights perspective and in a residual form. According to the Working Party, only a certain limited number of data protection principles should apply in these cases, such as the legitimacy and security principles.
As a final recommendation, the Working Party calls for greater harmonization and clarification regarding the requirement that data controllers located outside the EEA appoint a representative within the EEA.
View the full Opinion.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code